Skybox Security Introduces "Security Risk Management Blueprint"
26 Jul 01:27

Skybox Security, Inc. has published a best practices guide for the planning and implementation of a proactive IT Security Risk Management (SRM) program.

The SRM Blueprint aims to help organisations transform their point-level security programs into a cohesive decision support and analysis program and reclaim the millions of dollars lost annually to inefficient IT risk management practices. Organisations can now identify where they are in the maturity continuum, where they want to go, and the practical steps necessary to get there.

The SRM Blueprint is written for the Chief Information Security Officer (CISO) and head of IT Operations who are responsible for the resources, processes and goals of their respective organisations. These organisations are focused on IT security risk assessment and management, vulnerability mitigation, enforcement of network availability and security policy, and change management. The guidance contained within the SRM Blueprint is vendor-neutral and organised in five (5) sections:

  1. Reviews the current state of IT Security Risk Management.
  2. Describes the barriers that must be addressed in order to transition from a reactive to proactive SRM practice.
  3. Defines an SRM program, its key processes, and how analytics and automation tools can play a pivotal role.
  4. Provides guidance as to how organisations can move up the security maturity hierarchy, and
  5. Highlights the applications of a proactive program.

"Security Risk Management is often misunderstood. It's not just about technology; it's about achieving the right level of security spending, knowing that your security is better today than yesterday, and understanding the real risks facing your business. The SRM Blueprint gives security and network teams a framework for weighing their options and making decisions, rather than simply chasing vulnerabilities around the hamster wheel day after day," said Andrew Jaquith, senior analyst of Yankee Group.

SRM Blueprint Market Drivers and Benefits
IT security remains the great unknown. Point-level security tools generate an overwhelming amount of data and numerous false positives, and lack actionable intelligence.

As a result, the industry often hears the common phrase: "You can't manage what you can't measure." The desire to measure IT security effectiveness is driving many organisations to elevate their reactive approach to one that is more proactive. This includes the ability to predict future problems as well as identify root causes, driven by a continuous and measurable process. By doing so, organisations can prepare for and respond to threats and policy violations in a calm and rational manner while determining the most effective action items for the elimination of the exposure.

What's been missing is a Security Risk Management blueprint that defines IT SRM as a best practice. By reading and adopting the SRM Blueprint, organisations will understand the steps necessary to transition existing security programs from a reactive to a more proactive practice, enabling them to achieve the following benefits:

  1. A proactive, disciplined, visible and measurable IT SRM best practice.
  2. A central repository of all your risk, control and policy-related data.
  3. Better visibility into the state of your IT security profile by presenting objective risk and policy exposure metrics and their trends.
  4. Reduced IT workload through efficient resource utilisation and control optimisation.
  5. A common language that puts the executive, security, operation and audit teams on the same page.
  6. Improved resource utilisation by aligning resources with the appropriate level of risk.
  7. Demonstrable compliance with audit and regulatory requirements.
  8. Verifiable effectiveness of your IT SRM program and proof that your organisation is making continuous improvement.

"Business owners, CISO and IT operations management need better decision support and analysis tools. The SRM Blueprint represents a measurable and continuous best practice to help their organisations understand the contribution and effectiveness of each layer of security. With the SRM Blueprint, organisations can transform security from the great unknown to a business enabler that can be measured and improved over time," said David Batista, president and CEO of Skybox Security.

Skybox has launched a new consulting service that will assist organisations and government agencies in performing a gap analysis of their current SRM program. By doing so, an organisation can develop a roadmap for the implementation of SRM best practices based on its priorities.

A free Manager's Guide to the SRM Blueprint is available at the link below.

[Whereas what Skybox say in their blueprint is undoubtedly correct, I don't understand what leads them to the conclusion that this is not already being done. Applying metrics and maturity models to risk management is nothing new, nor is operating corporate security within well-defined architectures. All the large consulting companies advise on these things, and authors are constantly publishing papers about them in ISB. Best practices are constantly being developed and progressed. --Ed].

Related links:
www.skyboxsecurity.com
